NDLI: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Please wait, while we are loading the content...

Exploiting predicate structure for efficient reachability detection

A component model for internet-scale applications

Identifying traits with formal concept analysis

Blowtorch: a framework for firewall test automation

ClassSheets: automatic generation of spreadsheet applications from object-oriented specifications

Secure sharing between untrusted users in a transparent source/binary deployment model

Timna: a framework for automatically combining aspect mining analyses

A generic approach to supporting diagram differencing and merging for collaborative design

Automatic verification of design patterns in Java

Automated replay and failure detection for web applications

Automated test generation for engineering applications

yagg: an easy-to-use generator for structured test inputs

Bamboo: an architecture modeling and code generation framework for configuration management systems

Introduction to doctoral symposium

Specification and automated processing of security requirements (SAPS'05)

The power of software

Application of design for verification with concurrency controllers to air traffic control software

Automating the performance management of component-based enterprise systems through the use of redundancy

Precise identification of composition relationships for UML class diagrams

An analysis of rule coverage as a criterion in generating minimal test suites for grammar-based software

Generation of visual editors as eclipse plug-ins

Automating experimentation on distributed testbeds

A parameterized interpreter for modeling different AOP mechanisms

Visualization-based analysis of quality for large-scale software systems

Optimized run-time race detection and atomicity checking using partial discovered types

Locating faulty code using failure-inducing chops

Let's agree to disagree

Determining the cost-quality trade-off for automated software traceability

Using communicative acts in high-level specifications of user interfaces for their automated synthesis

Automated generation of testing tools for domain-specific languages

Software security assurance tools, techniques and metrics (SSATTM)

Virtual humans: lessons learned in integrating a large-scale AI project

Efficient temporal-logic query checking for presburger systems

UMLDiff: an algorithm for object-oriented design differencing

On dynamic feature location

Automatic test factoring for java

Clearwater: extensible, flexible, modular code generation

AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Reasoning about real-time statecharts in the presence of semantic variations

Empirical evaluation of the tarantula automatic fault-localization technique

A similarity-aware approach to testing based fault localization

A uniform deductive approach for parameterized protocol safety

A tool for automatic UML model consistency checking

Constructing interaction test suites with greedy algorithms

3rd international workshop on traceability in emerging forms of software engineering (TEFSE 2005)

Designing and implementing a family of intrusion detection systems

Process support to help novices design software faster and better

A component-based development framework for supporting functional and non-functional analysis in control system design

Automated population of causal models for improved software risk assessment

Verifying the correctness of hume programs: an approach combining deductive and algorithmic reasoning

Software certificate management (SoftCeMent'05)

The PLUSS toolkit?: extending telelogic DOORS and IBM-rational rose to support product line use case modeling

A rigorous approach for proving model refactorings

A model transformation approach to automatic model construction and evolution

2nd Workshop on the state of the art in automated software engineering

A strategy for efficient verification of relational specifications, based on monotonicity analysis

Compositional reasoning for port-based distributed systems

Formal support for merging and negotiation

Quasi-random testing

Model-based self-monitoring embedded programs with temporal logic specifications

In regression testing selection when source code is not available

Constraint-based test data generation in the presence of stack-directed pointers

Specialization and extrapolation of software cost models

QoS-aware dynamic service composition in ambient intelligence environments

NFRs-aware architectural evolution of component-based software

A visual language and environment for composing web services

Code security analysis with assertions

Learning to verify branching time properties

Data mining and cross-checking of execution traces: a re-interpretation of Jones, Harrold and Stasko test information

Simon: modeling and analysis of design space structures

Properties and scopes in web model checking

Lattice-based adaptive random testing

Synthesis of correct and distributed adaptors for component-based systems: an automatic approach

A unified fitness function calculation rule for flag conditions to improve evolutionary testing

A context-sensitive structural heuristic for guided search model checking

A threat-driven approach to modeling and verifying secure software

Test input generation for red-black trees using abstraction

Automated path generation for software fault localization

Testing in resource constrained execution environments

EA-Miner: a tool for automating aspect-oriented requirements identification

Prufrock: a framework for constructing polytypic theorem provers

AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Content Provider	ACM Digital Library
Author	Halfond, William G. J. Orso, Alessandro
Abstract	The use of web applications has become increasingly popular in our routine activities, such as reading the news, paying bills, and shopping on-line. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. In particular, SQL injection, a class of code-injection attacks in which specially crafted input strings result in illegal queries to a database, has become one of the most serious threats to web applications. In this paper we present and evaluate a new technique for detecting and preventing SQL injection attacks. Our technique uses a model-based approach to detect illegal queries before they are executed on the database. In its static part, the technique uses program analysis to automatically build a model of the legitimate queries that could be generated by the application. In its dynamic part, the technique uses runtime monitoring to inspect the dynamically-generated queries and check them against the statically-built model. We developed a tool, AMNESIA, that implements our technique and used the tool to evaluate the technique on seven web applications. In the evaluation we targeted the subject applications with a large number of both legitimate and malicious inputs and measured how many attacks our technique detected and prevented. The results of the study show that our technique was able to stop all of the attempted attacks without generating any false positives.
Starting Page	174
Ending Page	183
Page Count	10
File Format	PDF
ISBN	1581139934
DOI	10.1145/1101908.1101935
Language	English
Publisher	Association for Computing Machinery (ACM)
Publisher Date	2005-11-07
Publisher Place	New York
Access Restriction	Subscribed
Subject Keyword	Static analysis Runtime monitoring Sql injection
Content Type	Text
Resource Type	Article

Central Library (ISO-9001:2015 Certified)
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, India | PIN - 721302

See location in the Map
03222 282435
Mail: support@ndl.gov.in

Sl.	Authority	Responsibilities	Communication Details
1	Ministry of Education (GoI), Department of Higher Education	Sanctioning Authority	https://www.education.gov.in/ict-initiatives
2	Indian Institute of Technology Kharagpur	Host Institute of the Project: The host institute of the project is responsible for providing infrastructure support and hosting the project	https://www.iitkgp.ac.in
3	National Digital Library of India Office, Indian Institute of Technology Kharagpur	The administrative and infrastructural headquarters of the project	Dr. B. Sutradhar bsutra@ndl.gov.in
4	Project PI / Joint PI	Principal Investigator and Joint Principal Investigators of the project	Dr. B. Sutradhar bsutra@ndl.gov.in Prof. Saswat Chakrabarti will be added soon
5	Website/Portal (Helpdesk)	Queries regarding NDLI and its services	support@ndl.gov.in
6	Contents and Copyright Issues	Queries related to content curation and copyright issues	content@ndl.gov.in
7	National Digital Library of India Club (NDLI Club)	Queries related to NDLI Club formation, support, user awareness program, seminar/symposium, collaboration, social media, promotion, and outreach	clubsupport@ndl.gov.in
8	Digital Preservation Centre (DPC)	Assistance with digitizing and archiving copyright-free printed books	dpc@ndl.gov.in
9	IDR Setup or Support	Queries related to establishment and support of Institutional Digital Repository (IDR) and IDR workshops	idr@ndl.gov.in